Posted to dev@apisix.apache.org by Bisakh Mondal <bi...@gmail.com> on 2021/08/30 14:36:42 UTC

[DISCUSS] Support for Viewer Accounts @ Apache APISIX Dashboard

Hi Community,

This is Bisakh. This thread is regarding an issue/request [1] in
the apisix-dashboard project to support a *viewer account* that basically
can be used by non-admin users (users with low access privileges). These
accounts will be purely view-only; users of these accounts are restricted
from performing any sort of change/modification to the gateway's internal state.

Now, coming to the implementation part I am proposing the following
approach. As we are working on our authentication framework to support
dynamic user registration and login, I think we can extend the
implementation in two phases:

Phase - 1 [Implementing viewers account]

The dashboard is for authenticated users, so we can definitely work on top
of the authentication framework by storing another field, something similar
to `"restrict-full-access": bool`, in etcd for each user, extending the
current schema that we have [2]. The info gets encoded into the existing
JWT and passed to the web UI / CLI on a successful sign-in.
We will add middleware or modify the existing one to restrict the protected
routes (here HTTP methods, allow only GET requests (maybe selectively, we
can maintain a list here), no POST, PUT, PATCH and DELETE).
And for the frontend part, we can cache the info in a React state while
receiving the JWT from the backend and perform all sorts of restrictions.

Phase - 2 [Implementing mechanism to manage viewers account- IAM]

Now, still, there is another question left: how are we/admins going to
manage it?
I am proposing an *IAM* (Identity and Access Management) section into the
dashboard (both in manager API and dashboard web) that can be used to

- List all available members.
- Upgrade/Downgrade certain members from/to viewer accounts
- Blacklist certain users from further using the dashboard instance for a
certain period/permanently.

Let me know how it sounds. Looking forward to your feedback : ) Thank you.

Best regards,
Bisakh <https://github.com/bisakhmondal>

[1] : https://github.com/apache/apisix-dashboard/issues/1825
[2] :
https://github.com/apache/apisix-dashboard/pull/2010#issuecomment-895737216
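The Phase-1 mechanism proposed above, sketched as an added example in Go (the language of the manager API); this is not code from the apisix-dashboard project or from this thread. It assumes an HS256-signed JWT that carries the proposed `restrict-full-access` claim, treats HEAD and OPTIONS as read-only alongside GET, and uses a constructed signing key and sample `/apisix/admin/...` paths; `SignHS256`, `ParseHS256`, `ViewerGuard` and `StatusFor` are names chosen for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims is a hypothetical JWT payload; restrict-full-access is the per-user
// flag the proposal suggests adding to the user schema and encoding at sign-in.
type Claims struct {
	Username           string `json:"username"`
	RestrictFullAccess bool   `json:"restrict-full-access"`
}

// Selective allow-list for view-only accounts (assumption: HEAD/OPTIONS are as harmless as GET).
var readOnlyMethods = map[string]bool{http.MethodGet: true, http.MethodHead: true, http.MethodOptions: true}

// SignHS256 mints a compact HS256 JWT with the standard library (stand-in for token issuance at sign-in).
func SignHS256(c Claims, key []byte) (string, error) {
	enc := base64.RawURLEncoding
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// ParseHS256 pins the algorithm and checks the HMAC in constant time before any
// claim is read, so a client cannot hand back a token with the flag flipped.
func ParseHS256(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return Claims{}, err
		}
		raw[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &header); err != nil || header.Alg != "HS256" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// ViewerGuard is the Phase-1 middleware: 401 for an invalid token, 403 when a
// restricted account uses a method outside the allow-list, otherwise pass through.
func ViewerGuard(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, err := ParseHS256(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), key)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if claims.RestrictFullAccess && !readOnlyMethods[r.Method] {
			http.Error(w, "forbidden: view-only account", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor drives one request through ViewerGuard (in front of an always-200 handler) and returns the status.
func StatusFor(key []byte, token, method, path string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	ViewerGuard(key, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	key := []byte("constructed-demo-key") // constructed for the demo; a deployment loads its secret from config
	viewer, _ := SignHS256(Claims{Username: "viewer", RestrictFullAccess: true}, key)
	fmt.Println(StatusFor(key, viewer, "GET", "/apisix/admin/routes"))      // 200
	fmt.Println(StatusFor(key, viewer, "DELETE", "/apisix/admin/routes/1")) // 403
}
```

The signature is verified before the flag is read, because the flag is exactly what a tampered token would change; the React-side caching from Phase 1 then only drives what the UI shows, and the manager-API middleware is the enforcement point. One caveat for a method-based allow-list: any GET handler with side effects would slip past it, so such endpoints are worth auditing before the list is relied on.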

Re: [DISCUSS] Support for Viewer Accounts @ Apache APISIX Dashboard

Posted by Zhiyuan Ju <ju...@apache.org>.
Hi,

As for authentication in this project, it's using a JSON file to store all
users, could we use some libraries like Casbin to implement this?

Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>


On Mon, Aug 30, 2021 at 10:37 PM Bisakh Mondal <bi...@gmail.com> wrote:

> Hi Community,
>
> This is Bisakh. This thread is regarding an issue/request [1] in
> the apisix-dashboard project to support a *viewer account* that basically
> can be used by non-admin users (users with low access privileges). These
> accounts will be purely view-only; users of these accounts are restricted
> from performing any sort of change/modification to the gateway's internal state.
>
> Now, coming to the implementation part I am proposing the following
> approach. As we are working on our authentication framework to support
> dynamic user registration and login, I think we can extend the
> implementation in two phases:
>
> Phase - 1 [Implementing viewers account]
>
> The dashboard is for authenticated users, so we can definitely work on top
> of the authentication framework by storing another field, something similar
> to `"restrict-full-access": bool`, in etcd for each user, extending the
> current schema that we have [2]. The info gets encoded into the existing
> JWT and passed to the web UI / CLI on a successful sign-in.
> We will add middleware or modify the existing one to restrict the protected
> routes (here HTTP methods, allow only GET requests (maybe selectively, we
> can maintain a list here), no POST, PUT, PATCH and DELETE).
> And for the frontend part, we can cache the info in a React state while
> receiving the JWT from the backend and perform all sorts of restrictions.
>
> Phase - 2 [Implementing mechanism to manage viewers account- IAM]
>
> Now, still, there is another question left: how are we/admins going to
> manage it?
> I am proposing an *IAM* (Identity and Access Management) section into the
> dashboard (both in manager API and dashboard web) that can be used to
>
> - List all available members.
> - Upgrade/Downgrade certain members from/to viewer accounts
> - Blacklist certain users from further using the dashboard instance for a
> certain period/permanently.
>
> Let me know how it sounds. Looking forward to your feedback : ) Thank you.
>
> Best regards,
> Bisakh <https://github.com/bisakhmondal>
>
> [1] : https://github.com/apache/apisix-dashboard/issues/1825
> [2] :
> https://github.com/apache/apisix-dashboard/pull/2010#issuecomment-895737216
>